Uber, Just Pretend You’re a Public Company

In last week’s cover story, Barron’s addressed the increasing trouble surrounding the unicorn class—start-ups valued at $1 billion or more. In the story, I argued that investors’ embrace of these privately held companies enabled weak governance and poor behavior at many unicorns, and cited Uber Technologies as Exhibit A. Sure enough, Uber again lived up to that billing days after the story ran. Last week, the ride-sharing company said it had suffered a data breach resulting in the theft of information about 57 million customers.

And that wasn’t even the worst of the news. Uber sat on the information for a year, and paid a reported $100,000 ransom for the hackers to hide the breach.

Public companies don’t have the “luxury” of hiding troubling news. Target (ticker: TGT) and Home Depot (HD) revealed their high-profile breaches within days of learning the news. Even Equifax (EFX), not exactly the poster child for best practices, reported its recent breach within six weeks of the occurrence.

Uber has a history of playing by its own set of private rules. Without the onus of public-company disclosures, the company presumably felt no pressing need to update customers and the public about the hack. The breach occurred under then-CEO Travis Kalanick, Uber’s controversial co-founder, who was pushed out as boss this past summer. Still, the latest incident undermines the reformation campaign begun by Uber’s new chief executive, Dara Khosrowshahi, who took the post in September.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a statement last Tuesday, adding that “we have to be honest and transparent as we work to repair our past mistakes.”

Only to a degree, it seems. A few days later, The Wall Street Journal reported that Khosrowshahi had known about the breach for two months. His squeaky-clean image is already being challenged by Uber’s cagey ways.

It’s fair to wonder how much will change at Uber, so long as the company remains private. Uber won’t have to address questions from Wall Street analysts in its next quarterly earnings call. And the company seems unlikely to disclose the fallout from the breach in terms of costs, whether real or reputational. Without the discipline of going public, there’s little holding Uber to account.

Public companies are facing increasing pressure to address the risks of cybersecurity. A Barron’s analysis of annual 10-K filings shows a clear upward trend among big public companies warning about the threat. This year, 204 companies in the Standard & Poor’s 500 index cited the threat of a data breach in the risk-factor section of their 10-Ks. That’s up from just 56 companies in 2011, according to the data I pulled from Sentieo, a financial data platform.

But there’s another way to look at the findings: More than half of the S&P 500 has yet to adequately address the data-breach risk with shareholders.

There is good reason to wonder how much investors care about the risk, or even the damage. Equifax shares plunged 35% after its data breach was disclosed, but that seems to be the exception, not the norm. There was no large selloff after Target and Home Depot reported their breaches in 2013 and 2014, respectively.

Thanks to Home Depot’s latest 10-K, we now know that the company was hit with $198 million in costs related to the breach—and that’s after a $100 million insurance payment. Analysts have a way of writing these things off as one-time events, even though Home Depot can’t guarantee there won’t be more fallout from the 2014 breach, or new breaches to come. Earlier this year, the company bought a new $100 million insurance policy “to limit the company’s exposure to similar losses.”

Investors haven’t blinked. Home Depot shares are up 90% since the breach was disclosed in September 2014, about triple the S&P 500’s gain. On Friday, the stock hit an all-time high of $173.

FOR CORPORATE AMERICA, the lesson may be that disclosure is more important than the event itself. By giving shareholders a way to quantify the impact, Home Depot regained investors’ trust. Strong sales suggest that Home Depot’s customers have forgiven the company, as well.

Uber recently said it plans to go public in 2019. A few months before the initial public offering, the company will have to file a detailed prospectus, including financial details and other material information. Those documents could contain more information about the latest breach, as well as Uber’s battles with regulators in the U.S. and abroad.

But there’s nothing forcing the company to wait for an IPO. Uber is already larger than many public corporations and, theoretically, could choose to report like one. That’s the right step for a company serious about transparency and honesty. I asked the company’s press office last week if Uber would consider such a plan. I never heard back.
